Security controls accumulate, and so do their costs. We see this in what is being lumped into ‘cyber hygiene’. We see it in cyber security standards and good practices. We see it in the set of security controls being added to government regulations and forceful recommendations. Each new edition adds controls, and rarely is anything removed.

The urge to accumulate security controls is natural. Most security controls have a logical rationale for why they are warranted, why they are good practice. Often the rationale is unrelated to risk; it is simply the right thing to do. The control addresses some scenario that could lead to the compromise of some cyber asset.

Once the company, its leadership and the security team have made the decision to purchase and deploy a security control, removing it raises an uncomfortable question: if it’s no longer needed, were they wrong? The initial purchase and deployment costs have already been paid (note that the annual recurring revenue, ARR, subscription model is changing this). There may be some annual maintenance, but if the security control is not actively used, the annual labor cost is minimal.

Even if you are willing to admit you were wrong in selecting the control, or that the environment has changed, do you want to be the person who removed a security control shortly before an incident happens? ‘We might have detected or prevented the incident, but Dale decided we didn’t need CyberDefenseX anymore.’

We are probably too early in OT (operational technology) security to have a one-to-one policy … eliminate one existing security control for every new security control added. It’s not too early to start looking, on a regular and organized basis, at which security controls, products and procedures should be abandoned. As Peter Drucker put it in an entry on cost control:

‘The question should be “would the roof cave in if we stopped doing this work altogether?” And if the answer is probably not, one eliminates the operation. … They build cost cutting into normal operations. They build into their routine operations organized abandonment.’

Peter Drucker